From: William Lallemand Date: Fri, 7 Feb 2020 19:45:24 +0000 (+0100) Subject: BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init X-Git-Tag: v2.2-dev3~98 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=696f317f13151e4427e3f9a8b560730ed6a7bb40;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: ssl/cli: 'commit ssl cert' wrong SSL_CTX init The code which is supposed to apply the bind_conf configuration on the SSL_CTX was not called correctly. Indeed it was called with the previous SSL_CTX so the new ones were left with default settings. For example the ciphers were not changed. This patch fixes #429. Must be backported in 2.1. --- diff --git a/src/ssl_sock.c b/src/ssl_sock.c index 7698eec7fb..67e086dff2 100644 --- a/src/ssl_sock.c +++ b/src/ssl_sock.c @@ -10617,8 +10617,8 @@ static int cli_io_handler_commit_cert(struct appctx *appctx) new_inst->is_default = 1; /* we need to initialize the SSL_CTX generated */ - /* TODO: the prepare_ctx function need to be reworked to be safer there */ - list_for_each_entry_safe(sc0, sc0s, &ckchi->sni_ctx, by_ckch_inst) { + /* this iterate on the newly generated SNIs in the new instance to prepare their SSL_CTX */ + list_for_each_entry_safe(sc0, sc0s, &new_inst->sni_ctx, by_ckch_inst) { if (!sc0->order) { /* we initiliazed only the first SSL_CTX because it's the same in the other sni_ctx's */ errcode |= ssl_sock_prepare_ctx(ckchi->bind_conf, ckchi->ssl_conf, sc0->ctx, &err); if (errcode & ERR_CODE)
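Review bot: the removed TODO ("the prepare_ctx function need to be reworked to be safer there") disappears without the hunk showing that the underlying concern was addressed; the change only corrects which list is walked (`&new_inst->sni_ctx` instead of `&ckchi->sni_ctx`), so either keep the TODO next to the new comment or state in the commit message why it no longer applies. Note also that the loop now iterates the new instance's `sni_ctx` while still passing `ckchi->bind_conf` and `ckchi->ssl_conf` from the old instance into `ssl_sock_prepare_ctx`; that is exactly what applies the existing bind configuration (ciphers and the rest) to the regenerated SSL_CTX, and a short comment saying the old instance's bind_conf/ssl_conf are reused on purpose would make that intent obvious to the next reader. Minor wording: "this iterate on the newly generated SNIs" should read "this iterates over the newly generated SNIs".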